380 likes | 480 Views
Bootstrapping Security Associations in Wireless (Sensor) Networks. Mario Čagalj University of Split, FESB ACROSS, 2013. Briefly a bout the speaker. Mario Čagalj , Associate Professor Department of E lectronics, University of Split, FESB
E N D
Bootstrapping Security Associations in Wireless (Sensor) Networks Mario ČagaljUniversity of Split, FESB ACROSS, 2013
Briefly about the speaker • Mario Čagalj, Associate Professor • Department of Electronics, University of Split, FESB • Ph.D. degree in Communication Systems from EPFL (École Polytechnique Fédérale de Lausanne) • Scientific work and research interests • Information security, applied cryptography, game theory, energy-efficient communication, HCI, etc. • For more information • http://www.fesb.hr/~mcagalj or mcagalj@fesb.hr
Motivation • Billions of devices will be interconnected in near future • Ericsson forecasts 50 billion M2M connections by 2020 • IoT, M2M, wearable sensor networks, smart metering, etc. • Many technologies/systems • Include low cost and highly constrained devices • Use wireless channels (highly vulnerable) • Operate independently of any authority (are user-centric) • Prerequisites for adoption of such technologies • Data trustworthiness, authenticity and privacy
Motivation • Key element towards secure communication • Some cryptographic (keying) material (pwds, keys, certs) has to be preloaded into communicating devices • However, users are bad when it comes to security • Complicated setup procedures render the securityfeatures useless (e.g., home WiFi networks) • What can we then expect from 2020? attacker user’s devices 2013 2014 2020
Our goal • Develop mechanisms for secure initialization of wireless devices/for bootstrapping initial security associations • User-friendly – easily administered by non-specialists • Scalable – support a reasonably large number of devices • Compatibile with resource constrained devices – lacking usual wired interfaces, displays, keypads, etc. attacker user’s devices 2013 2014 2020
Talk outline • Basic security problem • Optimal message transfer authenticator • Group message authentication protocol • Authentication through presence • Integrity codes
Basic security problem user • Assumptions • high bandwidth public/insecure channel (e.g. radio) • low bandwidth authenticated channel (not secret) • E.g., sound, voice, visible light, etc. • Devices A and B share neither secrets nor certificates • Protect message integrityover thepublic channel • Minimize user’s involvement and hardware requirements message attacker A B
Attacker model • People usually have a wrong mental model • E.g., attacks on Bluetooth (designed for 10m range) • Eavesdropping from more than 1.5 km (BlueSniper rifle) • Thanks to high gain/sensitivity antennas and receivers nominal TX range = B A A B attacker attacker
Straightforward solution • Based on a weak-collision resistant hash function h(·) • Given message m0 easy to calculate a hash value h(m0) • Hard to find different m1such that h(m0)= h(m1) A B m • Receives m • Calculates sB=h(m) • If sA==sB“Accept m” Calculates sA=h(m) sA sA ok high bandwidth insecure channel low bandwidth authenticated channel
Straightforward solution suboptimal • Today, weak-collision implies at least 80-bit hash value • The minimum load over low bandwidth (human) channel • Hash function output sizes tend to increase over time • Vulnerabilities (e.g., SHA-1), processing power increses • E.g., MD5, SHA-1, SHA-2 (128, 160, 256... bit outputs) • More bits over low bandwidth (human) channel implies increased user’s involvement • Big issue when user interacts with constrained devices
Optimal message transfer authenticator • Based on a non-malleable commitment scheme • Functionallity similar to that of an ideal hash function • Transforms message m into commitment/openning pair • To commit to m do: (c,d)=commit(m) and hand outc • To open c do: hand out dandm=open(c,d) • Properties • Once commited to m, cannot change to another m • Message m remins secret until opened using d
Optimal message transfer authenticator • Pick k random bits NB • m,NA=open(c,d) • sB=NA NB • If sA==sB “Accept m” Given message m Pick k random bits NA (c,d)=commit(m,NA) sA=NA NB c A NB B d sA sA ok high bandwidth insecure channel low bandwidth authenticated channel Čagalj, Mario; Čapkun Srđan; Hubaux, Jean-Pierre.Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)
Optimal message transfer authenticator Pick k random bits NB m,NA=open(c,d) sB=NA NB Accept m Given message m Pick k random bits NA (c,d)=commit(m,NA) sA=NA NB c A NB B d sA sB • If sA==sB“Success” ok high bandwidth insecure channel low bandwidth authenticated channel Čagalj, Mario; Čapkun Srđan; Hubaux, Jean-Pierre.Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)
Optimal message transfer authenticator Theorem Computationally bounded attacker can succeedwithprobability at most approx 2-k(in a single session), where k is the size of authentication strings sA andsB. • For example, with k=15 bits • Attacker successful with probability 2-15 (i.e., 5-digit PIN) • User’s involvement only 15 bits (i.e., 2 hex digits) • We can optimally trade security and the user’s load • Time-invariant (independent of the employed hash function) • Not the case with the standard solution (min. load at least 80 bits) Čagalj, Mario; Čapkun Srđan; Hubaux, Jean-Pierre.Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)
Optimal message transfer authenticator • Optimality and time-invariance
Securing Diffie-Hellman key agreement Given gXAPick k random bits NA mA=IDA, gXA,NA (cA,dA)=commit(mA) mB=open(cB,dB) sA=NA NB Secret key KAB= gXAXB Given gXBPick k random bits NB mB=IDB, gXB,NB (cB,dB)=commit(mB) mA=open(cA,dA) sB=NA NB Secret key KAB= gXAXB cA A cB dA B dB sA sB • If sA==sB“Success” ok ok Čagalj, et. al. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. (February, 2006)Bluetooth Special Interest Group. Simple Pairing Whitepaper. // (October, 2006)
Example: Initializing home WiFi network • Camera-equipped device and wireless access point (AP) • Single LED at the AP blinksshort authentication string sB • Ephemeral tokens for your guests (AP pwd not disclosed!) MT-auth DH sA=NA NB If sA==sB“Success” KAB= gXAXB sB=NA NB KAB= gXAXB sB ok ok Contrast this with insecure WPS: Push-Button-Method by WiFi Alliance (2006)
Example: Initializing a pair of sensors • No cameras (only LEDs and a pushbutton) • User just checks that the devices blink the same states MT-auth DH • 1 • 0 • 0 • 1 • 1 • 0 • = sA=NA NB KAB= gXAXB sB=NA NB KAB= gXAXB sA sB • Ts • Ts • If sA==sB“Success” ok ok
How about securely initializing a larger group of resource-constrained device? • Group message Authentication Protocol (GAP) • Generalization of our optimal two-party protocol Perković T., Čagalj M., Mastelić T., Saxsena N.,Begušić D.Secure Initialization of Multiple ConstrainedWireless Devices for an Unaided User. // IEEE TMC (2012)
GAP overview • Phase 1: insecure radio channel • Devices exchange messages they want to authenticate and establish Group Authentication String (GAS) • Phase 2: visible light channel • User compares the GAS D1 D1 User D2 D2 ... ... Dn Dn Perković T., Čagalj M., Mastelić T., Saxsena N.,Begušić D.Secure Initialization of Multiple ConstrainedWireless Devices for an Unaided User. // IEEE TMC (2012)
GAP-Phase 1: insecure radio channel • Goal: M devices exchange and authenticate public keys IDi Step I: Gi={ID1<ID2<…<IDM} Di IDj ... ci-1 Di-1 Step II: hGi=hash(ID1,…,IDi,…,IDM) ci GASiNi ci+1 (ci, di) commit(hGi, IDi, PKi, Ni) Di+1 ... di-1 Step III: (hGj, IDj, PKj, Nj) open(cj, dj) di Verify hGi, IDj di+1 If OK, GASiGASiNj ... GASi =N1 N2 ... Ni ... NM
GAP-Phase 2: authenticated light channel • User enters group size M into one device/coordinator • Push-button can be used for this task • If group size OK, the coordinator initiates synchronized transmission of GAS (blinking LEDs) on all the devices • User verifies simultenously if GASi=GASj, for all devices D1 D1 GAS1 ok • If GAS1=GAS2= ... =GASn • “Success” GAS2 D2 D2 ok ok GASn ... ... Dn Dn
GAP security Theorem Computationally bounded attacker can succeedwithprobability at most approx 2-k(in a single session), where k is the size of the group authentication string (GAS). • User’s involvement only 15-20 bits • Recall, we can set k as low as 15-20 bits • 1 • 0 • 0 • 1 • 1 • 0 • 1 • 1 • 1 • 1 • 0 • 0 • 1 • 0 • 0 • Ts • Ts • start • end Perković T., Čagalj M., Mastelić T., Saxsena N.,Begušić D.Secure Initialization of Multiple ConstrainedWireless Devices for an Unaided User. // IEEE TMC (2012)
GAP usability evaluation • 27 participants (age 18-25) • GAS verification (GAS match and mismatch tests) and entering group sizes via a push-button (25 sensors) • Average System Usability Score (SUS) 80,8 (max. 100) 20 GAS verification 20 19 Entering group size 16 12 Number of testers 8 6 4 3 2 2 1 1 0 0 0 Very easy Easy Medium difficult Difficult Very difficult
Improving usability and scalability of GAP • User records the GAS procedure with a smartphone • In turn, reviews the GAS procedure offline • No special services or software on the smartphone(zero-configuration auxiliary device)
Talk outline • Basic security problem • Optimal message transfer authenticator • Group message authentication protocol • Authentication through presence • Integrity codes
Integrity codes (I-codes) • message m • The presence or absence of energy in a given time slot of duration Tsconveys information • 1 • 0 • 1 • balanced codec • 1 • 0 • 0 • 1 • 1 • 0 • on-off keying • Ts • Ts Čagalj, M.; Čapkun, S.; Rengaswamy, R.; Tsigkogiannis, I.; Srivastava, M.; Hubaux, J.-P.Integrity codes: Message Integrity Protection and Authentication over Insecure Channels // IEEE S&P (2006)
Integrity codes (I-codes) • Balanced code • Injective (one-to-one mapping) • Equal number of ones and zeros • E.g., Manchester code: 0 01 and 1 10 • Imposible to convert a codeword c0 into a different codeword c1 without flipping at least one bit 1 to bit 0 • message codeword 00 0101 01 0110 10 1001 11 1010
I-codes security I-code(m) • Assumptions • A applies I-codes to message m • B within the TX range of A • B synchronized to A wrt to the start and the end of c • B verifies that the received codeword c is balanced • Attacker cannot cancel (erase) a radio signal Theorem The attacker cannot trick device B into accepting a message that is different from the original m. attacker A B
ATMEL AT86RF211 transceiver433 MHz, FSK, Ts= 5ms I-codes transmission • Delimiter 111000 marks start and end of I-coded m • Delimiter and Manchester codewords incongruous • If attacker cannot cancel (erase) a radio signal: Any balanced codword c between delimiters is authentic
I-codes reception • Demodulation at the receiver • If average power in the symbol interval high →output 1 • If average power in the symbol interval low→ output 0 Any balanced codword c between delimiters is authentic bit 1 bit 0
Anti-blocking property of a radio channel a(t) s(t) • Received signal at B • r(t)=s(t)⊗hAB(t)+a(t)⊗haB(t)+n(t) • Attacker’s goal r(t)≈n(t) • I.e.,s(t)⊗hAB(t)+a(t)⊗haB(t)< n(t) • Attacker’s challenges • s(t) can be made physically unpredictable for the attacker • Accurate estimate of both hAB(t) and haB(t) • Many sources of uncertainty at high frequencies • Inacuracies in the antennas positions attacker channel between A/attacker and B (i.e., #paths, delay, phase, attenuation) Gaussian noise A B <
Anti-blocking property of a radio channel a(t) s(t) • 0 →1 easy • 1 → 0 very hard attacker A B bit 1 bit 0
Authentication through presence • User’s involvement minimal • Ensures the devices close-by • Turns the devices on I-codes(m) delimiter TXon • 111000011010…010101111000011010…010101111000… RXon • If I-codes(m) balancedAccept m ok
Effect of noise on I-codes • Implementation on Mica2 sensor motes • 0s → no signal during T0=10ms • 1s → 18 bytes randomized packet at 19.2kbps (T1=7.5ms)
Securing Diffie-Hellman with I-codes Given gXAPick k random bits NA mA=IDA, gXA,NA (cA,dA)=commit(mA) mB=open(cB,dB) sA=NA NB Secret key KAB= gXAXB • Given gXBPick k random bits NB • mB=IDB, gXB,NB • (cB,dB)=commit(mB) • mA=open(cA,dA) • sB=NA NB • If sA==sB“Success” • Secret key KAB= gXAXB cA A cB B dA dB I-codes(sA) ok ok
Initializing a large sensor network • Simple procedure • Place the devices close-by • Run Group message Authentication Protocol (GAP) • Let one device I-codes short GAS (group auth. string) • Ensure all the devices show “green” status I-codes(GAS) delimiter • 111000011010…010101111000011010…010101111000…
Summary • Presented mechanisms for bootstrapping initial security associations in wireless (sensor) networks • User-friendly, scalable and compatibile with resource constrained devices • Optimal message transfer authenticator • Short authentication strings • Optimal trade-off between security and user’s involvement • Integrity codes • Exploit physical properties of a radio channel • Enable authentication through presence